1. Field of the Invention
The present invention relates to a system and method for securely utilizing Basic Input and Output System (BIOS) services.
2. Description of the Related Art
In virtual memory subsystems, "virtual" memory addressing is employed in which the memory addresses utilized in software programs are mapped indirectly to locations in physical memory. Translation to physical addresses is typically accomplished by the processor, and such physical addresses are inaccessible to user mode software and the Basic Input/Output System (BIOS).
One example of such virtual memory subsystems is that used by Windows NT, which is manufactured and marketed by Microsoft, Inc. In particular, Windows NT incorporates a demand-paged virtual memory subsystem. The memory address space provided to a program running on the Windows NT operating system is safeguarded from other user mode programs just as other programs are protected from it. This ensures that user mode services and applications will not write over each other's memory, or execute each other's instructions. Kernel mode services and applications are protected in a similar way. If an attempt to access memory outside of a program's allocated virtual space occurs, the program is terminated and the user is notified. Virtual memory subsystems also prevent direct access by user mode software to physical memory addresses and to input/output devices that are part of a computer system.
There is an increasing trend towards the use of input/output devices on a computer system which are capable of executing operating systems using virtual memory subsystems. In such systems, there is no means for accessing memory outside of a program's virtual memory space, such as BIOS functions. One approach to this problem is to install a device driver which reads a file containing instructions for a device. The driver reads the file and writes (or downloads) these instructions into the device's memory. However, this type of device driver permits only limited addressing capability for memory and input/output operations. In addition, it does not allow execution of the system's processor instructions in physical memory space.
Accordingly, there is a need in the technology for a system and method for accessing and executing the contents of physical memory from a virtual memory subsystem, which facilitates increased addressing capability for memory and input/output operations, and which also allows execution of processor instructions directly from physical memory.
Furthermore, data stored on computer systems or platforms can be updated or configured. In certain cases, the data is extremely sensitive. A good example of configurable sensitive data is the Basic Input and Output System (BIOS) of a computer system. Typically stored in some form of non-volatile memory, the BIOS is machine code, usually part of an Operating System (OS), which allows the Central Processing Unit (CPU) to perform tasks such as initialization, diagnostics, loading the operating system kernel from mass storage, and routine input/output ("I/O") functions. Upon power up, the CPU will "boot up" by fetching the instruction code residing in the BIOS. Without any security protection, the BIOS is vulnerable to attacks through capturing and replaying of service requests to invoke functions provided by the BIOS. These attacks may corrupt the BIOS and disable the computer system.
Accordingly, there is also need to provide a system and method to verify the integrity of service requests to access or modify data in the BIOS and to enforce proper authorization limits of those remote request messages.